Payload Decoded and Decrypted via Built-in Utilities

Rule Info

Name
Payload Decoded and Decrypted via Built-in Utilities
Author
Tim Rauch (rule), Elastic (idea)
Description
Detects when a built-in utility is used to decode and decrypt a payload after a macOS disk image (DMG) is executed. Malware authors may attempt to evade detection and trick users into executing malicious code by encoding and encrypting their payload and placing it in a disk image file. This behavior is consistent with adware or malware families such as Bundlore and Shlayer.
Reference
https://github.com/elastic/protections-artifacts/commit/746086721fd385d9f5c6647cada1788db4aea95f#diff-5d42c3d772e04f1e8d0eb60f5233bc79def1ea73105a2d8822f44164f77ef823
Date
2022-10-17 00:00:00
Modified
None
Id
234dc5df-40b5-49d1-bf53-0d44ce778eca
Tags
attack.t1059 attack.t1204 attack.execution attack.t1140 attack.defense-evasion attack.s0482 attack.s0402
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=234dc5df-40b5-49d1-bf53-0d44ce778eca

Rule History

Author
Title
Date
Commit
Nasreddine Bencherchali
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes
2024-08-12
598d29f81
frack113
Merge PR #4479 From @frack113 - Upgrade Rules Status
2023-10-17
020fc8061
Gude5
new rules: Sigma rules based on Elastic rules (#3632)
2022-10-28
a3e685676
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022